{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1119 - Automated Collection",
    "\n",
    "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Automated Collection Command Prompt\nAutomated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection\nto see what was collected.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nmkdir %temp%\\T1119_command_prompt_collection >nul 2>&1\ndir c: /b /s .docx | findstr /e .docx\nfor /R c: %f in (*.docx) do copy %f %temp%\\T1119_command_prompt_collection\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1119 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Automated Collection PowerShell\nAutomated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection\nto see what was collected.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nNew-Item -Path $env:TEMP\\T1119_powershell_collection -ItemType Directory -Force | Out-Null\nGet-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\\T1119_powershell_collection}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1119 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Recon information for export with PowerShell\ncollect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt\nto see what was collected.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nGet-Service > $env:TEMP\\T1119_1.txt\nGet-ChildItem Env: > $env:TEMP\\T1119_2.txt\nGet-Process > $env:TEMP\\T1119_3.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1119 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Recon information for export with Command Prompt\ncollect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt\nto see what was collected.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nsc query type=service > %TEMP%\\T1119_1.txt\ndoskey /history > %TEMP%\\T1119_2.txt\nwmic process list > %TEMP%\\T1119_3.txt\ntree C:\\AtomicRedTeam\\atomics > %TEMP%\\T1119_4.txt\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1119 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001)."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Pocket Litter \n Place data on a system to reinforce the legitimacy of the system or user. \n\n Pocket Litter is data placed on a system to convince an adversary that the system and users are real.  Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer.  This content may overlap with Decoy Content, however Pocket Litter covers aspects beyond just content (e.g.: Installed Applications, source code, clutter on a system, etc.).\n#### Opportunity\nIn an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.\n#### Use Case\nA defender can stage a variety of pocket litter files to see if the adversary collect any of those files in an automated manner.\n#### Procedures\nWhen staging a decoy system and user account, populate a user's folders and web history to make it look realistic to an adversary.\nStage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}